I reviewed openjpeg2 2.3.1-1 as checked into focal. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

openjpeg2 is a library to encode and decode JPEG 2000 images. JPEG 2000 is an
image compression standard and coding system. OpenJPEG dates back to 2005
and became the JPEG 2000 reference software in 2015.

- CVE History:
  - openjpeg has been assigned CVEs every year since 2012. For Xenial we still
    have some 2016 CVEs for which we are unaware of a fix. There are also a
    couple of CVEs that don't have a fix, or for which we are unsure whether
    they were solved:
    CVE-2018-16376, CVE-2018-20846, CVE-2019-6988
  - Upstream is responsive and willing to fix security issues, but they still
    need to improve on how they communicate about the fixes.
- Build-Depends:
  - cmake
  - debhelper
  - default-jdk
  - dh-apache2
  - help2man
  - javahelper
  - libcurl4-gnutls-dev or libcurl-ssl-dev
  - libfcgi-dev
  - liblcms2-dev
  - libpng-dev
  - libtiff-dev
  - libxerces2-java
  - zlib1g-dev
- postinst, prerm and postrm scripts automatically added
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- Binaries in PATH
  - /usr/bin/opj_compress - This program reads in an image of a certain type
    and converts it to a JPEG2000 file.
  - /usr/bin/opj_decompress - This program reads in a JPEG2000 image and
    converts it to another image type.
  - /usr/bin/opj_dump - This program reads in a JPEG2000 image and dumps the
    contents to stdout.
  - /usr/bin/opj_jp3d_compress - compress into JP3D volume.
  - /usr/bin/opj_jp3d_decompress - decompress JP3D volume.
  - /usr/bin/opj_dec_server - server to decode JPT/JPP-stream and communicate
    locally with the JPIP client, which is coded in Java.
  - /usr/bin/opj_jpip_addxml - embed metadata into JP2 file.
  - /usr/bin/opj_jpip_test - test index code format of a JP2 file.
  - /usr/bin/opj_jpip_transcode - convert JPT/JPP-stream to JP2 or J2K.
  - /usr/bin/opj_server - JPIP server supporting HTTP connection and
    JPT/JPP-stream.
  - /usr/bin/opj_jpip_viewer
- No sudo fragments
- No udev rules
- openjpeg2 has 1478 tests under tests/, including Google's OSS-Fuzz setup.
  - some of those tests are CVE reproducers.
- No cron jobs
- Build logs:
  - Multiple compiler warnings:
    /<<PKGBUILDDIR>>/src/lib/openjp2/openjpeg.c:1041:30: warning: cast between incompatible function types from int (*)(FILE *) {aka int (*)(struct _IO_FILE *)} to void (*)(void *) [-Wcast-function-type]
    /<<PKGBUILDDIR>>/src/bin/jp3d/opj_jp3d_decompress.c:488:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:111:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:118:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:119:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:130:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:131:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:132:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:133:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:300:9: warning: ignoring return value of fscanf, declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:529:9: warning: ignoring return value of fgets, declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:851:9: warning: ignoring return value of fgets, declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:111:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:118:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:119:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:130:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:131:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:132:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:133:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:300:9: warning: ignoring return value of fscanf, declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:529:9: warning: ignoring return value of fgets, declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp3d/convert.c:851:9: warning: ignoring return value of fgets, declared with attribute warn_unused_result [-Wunused-result]
    /<<PKGBUILDDIR>>/src/bin/jp2/opj_decompress.c:482:36: warning: . directive writing 1 byte into a region of size between 0 and 4095 [-Wformat-overflow=]
    /<<PKGBUILDDIR>>/src/bin/jp2/opj_compress.c:543:31: warning: __builtin___sprintf_chk may write a terminating nul past the end of the destination [-Wformat-overflow=]
    /<<PKGBUILDDIR>>/src/bin/jp2/opj_compress.c:556:36: warning: . directive writing 1 byte into a region of size between 0 and 4095 [-Wformat-overflow=]
    /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: __builtin_strncpy specified bound 4 equals destination size [-Wstringop-truncation]
    /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: __builtin_strncpy specified bound depends on the length of the source argument [-Wstringop-overflow=]
    /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: __builtin_strncpy specified bound depends on the length of the source argument [-Wstringop-overflow=]
    /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: __builtin_strncpy specified bound depends on the length of the source argument [-Wstringop-overflow=]
    /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: __builtin_strncpy specified bound depends on the length of the source argument [-Wstringop-overflow=]
    /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: __builtin_strncpy specified bound depends on the length of the source argument [-Wstringop-overflow=]
    /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: __builtin_strncpy specified bound depends on the length of the source argument [-Wstringop-overflow=]
    /<<PKGBUILDDIR>>/src/bin/jp2/convertpng.c:78:16: warning: variable rows might be clobbered by longjmp or vfork [-Wclobbered]
    /<<PKGBUILDDIR>>/src/bin/jp2/convertpng.c:79:16: warning: variable row32s might be clobbered by longjmp or vfork [-Wclobbered]
    /<<PKGBUILDDIR>>/src/bin/jp2/convertpng.c:81:18: warning: variable image might be clobbered by longjmp or vfork [-Wclobbered]
    /<<PKGBUILDDIR>>/src/bin/jp2/convertpng.c:78:16: warning: variable rows might be clobbered by longjmp or vfork [-Wclobbered]
    /<<PKGBUILDDIR>>/src/bin/jp2/convertpng.c:79:16: warning: variable row32s might be clobbered by longjmp or vfork [-Wclobbered]
    /<<PKGBUILDDIR>>/src/bin/jp2/convertpng.c:81:18: warning: variable image might be clobbered by longjmp or vfork [-Wclobbered]
    /<<PKGBUILDDIR>>/src/bin/jp2/convertpng.c:78:16: warning: variable rows might be clobbered by longjmp or vfork [-Wclobbered]
    /<<PKGBUILDDIR>>/src/bin/jp2/convertpng.c:79:16: warning: variable row32s might be clobbered by longjmp or vfork [-Wclobbered]
    /<<PKGBUILDDIR>>/src/bin/jp2/convertpng.c:81:18: warning: variable image might be clobbered by longjmp or vfork [-Wclobbered]
    /<<PKGBUILDDIR>>/src/lib/openjpip/jpipstream_manager.c:68:27: warning: %02d directive writing between 2 and 11 bytes into a region of size between 9 and 16 [-Wformat-overflow=]

- Lintian failures
    ignoring dump failure
    dh_install: Please use dh_missing --list-missing/--fail-missing instead
    W: openjpeg2 source: file-without-copyright-information tools/travis-ci/knownfailures-Ubuntu14.04-gcc4.8.4-x86_64-Debug-3rdP.txt
    E: Lintian run failed (policy violation)
    Lintian: fail

- No processes spawned
- Memory management
  - openjpeg2 has plenty of memory operations, and that is exactly where most
    of its CVEs come from: heap-buffer overflow, buffer overflow, excessive
    memory allocation, excessive iteration, just to name a few.
- File IO
  - Unlike the memory issues, openjpeg2 hasn't had (I may be overlooking
    something here) any CVEs related to files or to passing paths that might
    give you rights to read or write somewhere you otherwise couldn't. There is
    a lot of file IO to look through, but it appears that they are doing a good
    job on it.
- No logging of its own, but it does log errors and passes them to any calling
  library that is using openjpeg.
- Environment variable usage
  - OPJ_NUM_THREADS
  - QUERY_STRING
  - USE_OPJ_SET_DECODED_RESOLUTION_FACTOR
  - SKIP_OPJ_SET_DECODE_AREA
  - Looks safe.
- No use of privileged functions
- No use of cryptography
- No use of temp files
- Use of networking
  - JPIP stream
- No use of WebKit
- No use of PolicyKit

- cppcheck showed a few resource leaks that can be easily patched, but also
  showed common programming mistakes.
- Coverity also points to resource leaks.

- We decided to contribute to the upstream project since some of the issues
  cppcheck and Coverity pointed out are quite simple to fix, so a PR was sent;
  there is no reply yet. We will continue to contribute on a best-effort basis,
  since the code quality can still be improved.

Security team ACK for promoting openjpeg2 to main as long as the following 
binaries reside in universe:
- libopenjp2-tools
- libopenjp3d-tools
- libopenjpip-viewer
- libopenjpip-dec-server
- libopenjpip-server

Those binaries contain the command-line utilities mentioned previously,
and most of the flaws relate to these commands.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-16376

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-20846

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6988
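Two of the warning classes in the build log above (fread with its return value ignored, and sprintf building a name into a fixed-size buffer), shown as an added C example alongside the checked forms a reviewer would ask for; this is not openjpeg2 code, and the header layout, 16-byte buffer, sample bytes and function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical header layout: three little-endian 32-bit fields. */
typedef struct { uint32_t width, height, depth; } vol_header_t;

/* Pattern behind the -Wunused-result warnings: a short read leaves fields
 * unset and the function still reports success. */
static int read_header_unchecked(FILE *f, vol_header_t *h) {
    fread(&h->width,  sizeof h->width,  1, f);
    fread(&h->height, sizeof h->height, 1, f);
    fread(&h->depth,  sizeof h->depth,  1, f);
    return 0;
}

/* Checked form: each fread must return the requested item count. */
static int read_header_checked(FILE *f, vol_header_t *h) {
    if (fread(&h->width,  sizeof h->width,  1, f) != 1) return -1;
    if (fread(&h->height, sizeof h->height, 1, f) != 1) return -1;
    if (fread(&h->depth,  sizeof h->depth,  1, f) != 1) return -1;
    return 0;
}
/* Constructed inputs: a complete header and one truncated after two fields. */
static const unsigned char kFullHeader[12]     = {1,0,0,0, 2,0,0,0, 3,0,0,0};
static const unsigned char kTruncatedHeader[8] = {1,0,0,0, 2,0,0,0};
/* Run either parser over an in-memory buffer; returns the parser's rc, or the
 * depth field when `want_depth` is set and parsing succeeded. */
int parse_header(const unsigned char *buf, size_t len, int checked, int want_depth) {
    vol_header_t h = {0, 0, 0};
    FILE *f = fmemopen((void *)buf, len, "r");
    if (!f) return -2;
    int rc = checked ? read_header_checked(f, &h) : read_header_unchecked(f, &h);
    fclose(f);
    return (want_depth && rc == 0) ? (int)h.depth : rc;
}
int parse_truncated(int checked) { return parse_header(kTruncatedHeader, 8, checked, 0); }
int parse_full_depth(void)       { return parse_header(kFullHeader, 12, 1, 1); }

/* Pattern behind -Wformat-overflow=: "<base>.<ext>" built with sprintf into a
 * fixed buffer. snprintf plus a truncation check turns overflow into an error. */
int build_out_name(char *dst, size_t dstlen, const char *base, const char *ext) {
    int n = snprintf(dst, dstlen, "%s.%s", base, ext);
    return (n < 0 || (size_t)n >= dstlen) ? -1 : 0;
}
/* Same check against a 16-byte destination. */
int out_name_fits(const char *base) {
    char buf[16];
    return build_out_name(buf, sizeof buf, base, "j2k");
}
```

The unchecked parser reports success on the truncated header and leaves depth at zero, which is the kind of silently wrong field that later sizing code would trust.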

-- 
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
